Setup SAML SSO for Azure

SETTING UP SAML-SSO

To set up Single Sign-On using a SAML Identity Provider, go to Management >> Integrations and click on Single Sign-On (SSO). Download the SnapComms metadata by clicking on the link under 'SnapComms Metadata URL'.

Enter the details in the Identity Provider (IdP) section as per your IdP's settings, including the certificate (.cer) file from your IdP. If the IdP does not support a static metadata URL, click on the Use Identity Provider Metadata File toggle and upload the metadata (.xml) file from your IdP.


It is recommended to use the SnapComms metadata URL whenever possible. If you must import our metadata file manually into your identity provider, please note that the SnapComms SAML SSO certificate renews yearly, which may break the trust between SnapComms and your Identity Provider. We recommend setting a calendar reminder to re-download the metadata from the SnapComms Content Manager and reload the new certificate in your IdP (you may also need to download the new certificate from your IdP and re-upload it into SnapComms). SnapComms also expects a SHA256 certificate.

We also recommend passing the User Principal Name (UPN) from your IdP as the name attribute, as the system uses the UPN to match and validate an existing SnapComms user.

Configuring your Azure SAML Application

  1. From the Azure Portal > Azure Active Directory > Enterprise Applications > click 'New Application' (select Non-gallery), assign an application name, then click the 'Add' button.

  2. From the Single sign-on menu > select SAML, click on 'Upload metadata file' (your Content Manager's Metadata file).

  3. Copy the App Federation Metadata URL and the Azure AD Identifier, and download the Certificate (Base64).

  4. Go to Users & Groups and assign access to this SAML application.
  5. Go back to Management > Integrations > SSO and enter the following values:

  • Identity Provider ID: (paste the Azure AD Identifier value from Azure)
  • Identity Provider Metadata: (paste the App Federation Metadata URL from Azure)
  • SSO validation certificate: (upload the certificate downloaded from Azure)

Click on the ‘Save’ button.

ENABLING SSO FOR CONTENT MANAGER

Enabling the Allow Identity Provider users to access the Content Manager toggle will allow authorized users to be given an administrator account in SnapComms. Enter the email domain of your company so that when users log in to the Content Manager using Company ID, they are redirected to your IdP.
Note: SnapComms only supports one domain name value for Content Manager SSO validation.

Follow the instructions below to authorize users logging in using SSO as SnapComms Administrators. Make sure that users to be authorized as Administrators exist as a user in the SnapComms platform. To check, go to Users & Groups >> Users.

  1. Save the IdP Configuration
  2. Go to Users & Groups >> Groups
  3. The SSOAdminGroup is automatically created; click on the SSOAdminGroup
  4. Add existing users who should be made administrators to this group.

When the email address of the person trying to log in to the Content Manager using SSO matches the email address of a member of the SSOAdminGroup, and that email has not already been used as an administrator username, a new Administrator account is created with a Credential Type of SSO. Automatically created administrators have all the publishing and targeting permissions but no management access. Setting permissions for administrators is discussed in our Creating Administrators and Setting Permissions article.

Note: User and Administrator accounts are managed separately. Once an Administrator account has been created, removing the matching user from the SSOAdminGroup will not disable the Administrator account.


USING SAML SSO TO LOGIN TO THE CONTENT MANAGER

SnapComms currently supports SP-initiated SSO. To log in, from the SnapComms login page, click the Log in with Company ID button.

Enter the company email address matching the email domain defined in the configuration previously saved. Click Continue to start the login workflow in the IdP.



Troubleshooting notes:

If an SSO Administrator is not able to log in via the 'Login with Company ID' button, check the following:

  1. From the Administrators page, change the 'Status' filter to include 'Pending' and 'Inactive', and ensure the new SSO admin account is set as active.
  2. Check that the name attribute being passed by your IdP is the UPN, as the system uses the UPN as the primary matching criterion. Check that a user account exists on the Users page and that its UPN is in the same format as the value being passed from your IdP.
  3. From the Groups page, check the 'SSOAdminGroup' and ensure the user account has been added to this group.
  4. A new SSO admin account has minimum Content Manager permissions; admin settings and access will have to be reviewed and granted (along with assigning a First Name and Last Name).

ENABLING SSO FOR MAC AND MOBILE APPS

Enabling the Allow Identity Provider users to access the SnapComms mobile App toggle will allow users to access the SnapComms Mac and Mobile Apps using their company credentials.

Clicking on the Click here to view mobile App settings link will take you to the Mac & Mobile Settings page.
